Web Authentication 1.1.1.1/login Redirect Issue - Wireless LAN Controller


Thu, 02/25/2016 - 16:52
Apr 24th, 2015

Introduction

This document covers Cisco Wireless 1.1.1.1/login.html redirect issues.

Scenario 1

The user was running a WLC 5500 controller. End clients get a DHCP address, but the browser does not redirect them to the guest portal.

What is the best way to check as to why the redirection is failing?

More Information

That usually points to DNS. Is the home page HTTPS? If so, the user will not get redirected. The WLC intercepts the home page request when the user opens a browser and then verifies that DNS can resolve the home page. If so, the WLC pushes the WebAuth page to the user. If not, the WLC does nothing. If you're using a 3rd-party certificate to get rid of the certificate error, you need to make sure the FQDN can be resolved by the DNS the clients are going to use.

DNS should resolve the initial URL request; the WLC then intercepts that packet and replaces the resolved address with 1.1.1.1 to show the splash page to the user. You can use either a public DNS or an internal DNS that resolves the initial URL request.

Once the client is connected to the webauth WLAN and has an IP address, manually type https://1.1.1.1/login.html. Does it show the certificate warning and then the splash page? If not, try a different device; it could be a browser issue. If it brings up the page then, as Scott mentioned, check that DNS works using nslookup.

Troubleshooting Steps

The main reasons the webauth page does not appear are that the client's home page is HTTPS rather than HTTP, or DNS issues. If you remove the webauth and associate to the SSID, can you access the internet? This will prove that DNS is working for the guest users.
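
The checks described above (DNS resolution, then a plain-HTTP request that the WLC can intercept) can be scripted from a guest client. The following Python sketch is an added example, not part of the original document or any Cisco tooling; it assumes the controller's redirect arrives either as a Location header or as an HTML meta refresh, and the names `classify`, `probe` and the `SAMPLE` response are constructed for illustration.

```python
import http.client, re, socket, sys
from urllib.parse import urlparse

VIRTUAL_IP = "1.1.1.1"  # WLC virtual interface address used on this page
# Constructed sample of an intercepted reply (assumed meta-refresh form).
SAMPLE = ('<html><head><meta http-equiv="refresh" content="1; '
          'URL=https://1.1.1.1/login.html?redirect=example.com/"></head></html>')

def classify(dns_ok, status, headers, body, virtual_host=VIRTUAL_IP):
    """Map one plain-HTTP probe result to the failure causes named above."""
    if not dns_ok:
        return "dns-failure: client DNS cannot resolve the test URL"
    # Assumption: redirect is a Location header or an HTML meta refresh.
    target = headers.get("location", "")
    if not target:
        m = re.search(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)',
                      body, re.I)
        target = m.group(1) if m else ""
    if target:
        host = urlparse(target).hostname or ""
        if host == virtual_host.lower():
            return "redirected: " + target
        # e.g. the site's own http->https redirect, or a virtual-interface
        # DNS host name that differs from virtual_host
        return "redirect-elsewhere: " + target
    if status == 200:
        return "not-intercepted: page served without a webauth redirect"
    return "unexpected: HTTP %s" % status

def probe(test_host, virtual_host=VIRTUAL_IP, timeout=5):
    """Resolve test_host, then fetch http://test_host/ without following redirects."""
    try:
        socket.getaddrinfo(test_host, 80)
    except socket.gaierror:
        return classify(False, None, {}, "", virtual_host)
    conn = http.client.HTTPConnection(test_host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")   # http on purpose: https is not redirected
        resp = conn.getresponse()  # http.client never follows redirects itself
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(True, resp.status, headers,
                        resp.read(4096).decode("latin-1"), virtual_host)
    except (OSError, http.client.HTTPException) as exc:
        return "http-failure: %s" % exc
    finally:
        conn.close()

if __name__ == "__main__":
    # With a host argument: live probe. Without: classify the constructed sample.
    print(probe(sys.argv[1]) if len(sys.argv) > 1
          else classify(True, 200, {}, SAMPLE))
```

If a DNS host name is configured on the virtual interface, pass it as `virtual_host` so a redirect to that name is recognised as the WLC's own.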

Solution 1

The user followed the steps below and resolved the issue:

  • Under Interfaces, virtual interface for 1.1.1.1
  • Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface. Removed the entry for DNS Host Name and set it to blank.
  • Tested and the redirect seems to work fine.

Web Authentication Redirection Process

 

Scenario 2

Clients Redirected to External Web Authentication Server Receive a Certificate Warning

Problem: When clients are redirected to Cisco's external web authentication server, they receive a certificate warning. There is a valid certificate on the server, and if you connect to the external web authentication server directly the certificate warning is not received. Is this because the virtual IP address (1.1.1.1) of the WLC is presented to the client instead of the actual IP address of the external web authentication server that is associated with the certificate?

Solution 2

Yes. Whether or not you perform local or external web authentication, you still hit the internal web server on the controller. When you redirect to an external web server, you still receive the certificate warning from the controller unless you have a valid certificate on the controller itself. If the redirect is sent to https, you receive the certificate warning from the controller and from the external web server, unless both have a valid certificate.

In order to get rid of the certificate warnings altogether, you need to have a root level certificate issued and downloaded onto your controller. The certificate is issued for a host name, and you put that host name in the DNS host name box under the virtual interface on the controller. You also need to add the host name to your local DNS server and point it to the virtual IP address (1.1.1.1) of the WLC.

Scenario 3

Error: "page cannot be displayed"

Problem: After the controller is upgraded to 4.2.61.0, the "page cannot be displayed" error message appears when you use a downloaded web page for web authentication. This worked well prior to the upgrade. The default internal web page loads without any problem.

Solution 3

WLC version 4.2 and later introduce a new feature that lets you have multiple customized login pages for Web authentication.

In order to have the web page load properly, it is not sufficient to set the web-authentication type as customized globally in the Security > Web Auth > Web login page. It must also be configured on a particular WLAN. In order to do this, complete these steps:

  1. Log into the GUI of the WLC.
  2. Click on the WLANs tab, and access the profile of the WLAN configured for Web-authentication.
  3. On the WLAN > Edit page, click the Security tab. Then, choose Layer 3.
  4. On this page, choose None as the Layer 3 Security.
  5. Check the Web Policy box, and choose the Authentication option.
  6. Check the Over-ride Global Config Enable box, choose Customized (Downloaded) as the Web Auth Type, and select the desired login page from the Login Page pull-down menu. Click Apply.

George Stefanick Fri, 04/24/2015 - 18:17

A source of pain for many when they get into Cisco Wireless Guest services. Great post to point users to for information with very informative links. Thanks for sharing Vinay! +5

Vinay Sharma Fri, 04/24/2015 - 08:55

We are just facilitators, we would like to thank you guys for your expertise and enthusiasm for helping community users. Hope to see you sometimes :-)

shubhi013 Thu, 02/25/2016 - 16:52

Hi Vinay,


I am facing a similar issue wherein the following happens:

The user is having trouble connecting external guests with external laptops to the “guest” connection:

  • The external laptops are able to connect to the guest wifi connection but they are struggling to open the Cisco logon page in the internet browser.
  • So they have to manually type the Cisco web address (https://1.1.1.1/login) in order to reach the web page.
  • It is very common that the browser detects the web page as a website with certificate security problems, so I have to hit the option: Go to this website (Not recommended)
  • Once I get into the Cisco login I type the credentials. User name: guest / Password: xyz
  • When I hit Submit the browser says the page couldn’t be found and then there is no way I can give access to internet to that external laptop

What are my options here?

How can I troubleshoot this? All I have is the access to the router.

Kindly help.

Regards,

Shubham
